by _wolfie_ 1101 days ago
My main annoyance with libressl is the absence of SSL_CERT_DIR and SSL_CERT_FILE. They are often handy, for example for testing.

Well then you could use a sandbox (e.g. bubblewrap) to mount whatever on /etc/ssl. Or you could recompile libressl with a different --sysconfdir and LD_PRELOAD it.
Sure, I could. But it is more complex. And my (probably wrong) opinion is that at the point where you can inject environment variables, the game is pretty much over anyway (you can probably do more harm with LD_PRELOAD compared to SSL_CERT_FILE). So I am not convinced about the value this limitation brings.